There are some minor updates here from last time:
 * added a def_bool instead of separate lines in config
 * clarified that the /proc interface is *GONE*

cc'ing a bunch of folks directly now instead of depending on linux-arch@ to awaken them. I think it's most appropriate for this to go in via the security tree, but I guess it could also go directly to Linus.

--

From: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>

There are 7 architectures with "config SECCOMP". They all have virtually the same help text except for those referencing the /proc interface. The /proc interface was removed in 2007.

There is *NOTHING* architecture-specific about SECCOMP except that the syscalls have per-architecture definitions, like every other syscall. It is absurd to have the option in the arch-specific menus.

Move it to the security menu, consolidate the 7 down to one, and remove the embarrassingly-ancient help text references and dependencies on /proc.
Signed-off-by: Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx> Cc: linux-security-module@xxxxxxxxxxxxxxx Cc: linux-arch@xxxxxxxxxxxxxxx Cc: Stephen Rothwell <sfr@xxxxxxxxxxxxxxxx> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Cc: Russell King <linux@xxxxxxxxxxxxxxxx> Cc: Michal Simek <monstr@xxxxxxxxx> Cc: Ralf Baechle <ralf@xxxxxxxxxxxxxx> Cc: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx> Cc: Paul Mackerras <paulus@xxxxxxxxx> Cc: Martin Schwidefsky <schwidefsky@xxxxxxxxxx> Cc: Heiko Carstens <heiko.carstens@xxxxxxxxxx> Cc: Paul Mundt <lethal@xxxxxxxxxxxx> Cc: x86@xxxxxxxxxx Cc: James Morris <james.l.morris@xxxxxxxxxx> --- b/arch/arm/Kconfig | 15 +-------------- b/arch/microblaze/Kconfig | 18 +----------------- b/arch/mips/Kconfig | 18 +----------------- b/arch/powerpc/Kconfig | 18 +----------------- b/arch/s390/Kconfig | 18 +----------------- b/arch/sh/Kconfig | 17 +---------------- b/arch/sparc/Kconfig | 18 +----------------- b/arch/x86/Kconfig | 17 +---------------- b/security/Kconfig | 21 ++++++++++++++++++++- 9 files changed, 28 insertions(+), 132 deletions(-) diff -puN arch/arm/Kconfig~consolidate-seccomp-options arch/arm/Kconfig --- a/arch/arm/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.576007335 -0800 +++ b/arch/arm/Kconfig 2014-01-29 11:02:31.611008920 -0800 @@ -27,6 +27,7 @@ config ARM select HAVE_ARCH_JUMP_LABEL if !XIP_KERNEL select HAVE_ARCH_KGDB select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT) + select HAVE_ARCH_SECCOMP select HAVE_ARCH_TRACEHOOK select HAVE_BPF_JIT select HAVE_CONTEXT_TRACKING 
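Review bot: the changelog says there are 7 architectures with "config SECCOMP" and "consolidate the 7 down to one", but the diffstat lists eight arch Kconfig files (arm, microblaze, mips, powerpc, s390, sh, sparc, x86), each of which loses a SECCOMP block below; please fix the count in the changelog so it matches the files actually touched. Minor style nit in the arm hunk: the surrounding select list is alphabetical and HAVE_ARCH_SECCOMP sorts before HAVE_ARCH_SECCOMP_FILTER, so `select HAVE_ARCH_SECCOMP` would sit more naturally on the line above `select HAVE_ARCH_SECCOMP_FILTER if (AEABI && !OABI_COMPAT)` rather than after it.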
@@ -1874,20 +1875,6 @@ config UACCESS_WITH_MEMCPY However, if the CPU data cache is using a write-allocate mode, this option is unlikely to provide any performance gain. -config SECCOMP - bool - prompt "Enable seccomp to safely compute untrusted bytecode" - ---help--- - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via prctl(PR_SET_SECCOMP), it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - config SWIOTLB def_bool y diff -puN arch/microblaze/Kconfig~consolidate-seccomp-options arch/microblaze/Kconfig --- a/arch/microblaze/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.578007425 -0800 +++ b/arch/microblaze/Kconfig 2014-01-29 11:02:31.612008965 -0800 @@ -11,6 +11,7 @@ config MICROBLAZE select ARCH_WANT_OPTIONAL_GPIOLIB select HAVE_OPROFILE select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP select HAVE_DMA_ATTRS select HAVE_DMA_API_DEBUG select TRACING_SUPPORT 
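Review bot: the arm block removed here was `bool` with a prompt and no `default` line (and no "If unsure" sentence), so SECCOMP defaulted to n on arm; the replacement option in security/Kconfig is `def_bool y`, which silently flips the arm default to y. That is very likely what everyone wants, but it is a behaviour change for existing arm configs that take the default, and the changelog currently only talks about help text and /proc; please mention the default change there so the arm maintainer can ack it knowingly.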
@@ -109,23 +110,6 @@ config CMDLINE_FORCE Set this to have arguments from the default kernel command string override those passed by the boot loader. -config SECCOMP - bool "Enable seccomp to safely compute untrusted bytecode" - depends on PROC_FS - default y - help - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via /proc/<pid>/seccomp, it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - - If unsure, say Y. Only embedded should say N here. - endmenu menu "Advanced setup" diff -puN arch/mips/Kconfig~consolidate-seccomp-options arch/mips/Kconfig --- a/arch/mips/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.580007516 -0800 +++ b/arch/mips/Kconfig 2014-01-29 11:02:31.613009010 -0800 @@ -11,6 +11,7 @@ config MIPS select PERF_USE_VMALLOC select HAVE_ARCH_KGDB select HAVE_ARCH_TRACEHOOK + select HAVE_ARCH_SECCOMP select ARCH_HAVE_CUSTOM_GPIO_H select HAVE_FUNCTION_TRACER select HAVE_FUNCTION_TRACE_MCOUNT_TEST 
@@ -2307,23 +2308,6 @@ config PHYSICAL_START specified in the "crashkernel=YM@XM" command line boot parameter passed to the panic-ed kernel). -config SECCOMP - bool "Enable seccomp to safely compute untrusted bytecode" - depends on PROC_FS - default y - help - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via /proc/<pid>/seccomp, it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - - If unsure, say Y. Only embedded should say N here. - config USE_OF bool select OF diff -puN arch/powerpc/Kconfig~consolidate-seccomp-options arch/powerpc/Kconfig --- a/arch/powerpc/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.599008376 -0800 +++ b/arch/powerpc/Kconfig 2014-01-29 11:02:31.613009010 -0800 @@ -102,6 +102,7 @@ config PPC select HAVE_EFFICIENT_UNALIGNED_ACCESS if !CPU_LITTLE_ENDIAN select HAVE_KPROBES select HAVE_ARCH_KGDB + select HAVE_ARCH_SECCOMP select HAVE_KRETPROBES select HAVE_ARCH_TRACEHOOK select HAVE_MEMBLOCK 
@@ -634,23 +635,6 @@ config ARCH_WANTS_FREEZER_CONTROL source kernel/power/Kconfig -config SECCOMP - bool "Enable seccomp to safely compute untrusted bytecode" - depends on PROC_FS - default y - help - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via /proc/<pid>/seccomp, it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - - If unsure, say Y. Only embedded should say N here. - endmenu config ISA_DMA_API diff -puN arch/s390/Kconfig~consolidate-seccomp-options arch/s390/Kconfig --- a/arch/s390/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.601008466 -0800 +++ b/arch/s390/Kconfig 2014-01-29 11:02:31.614009055 -0800 @@ -105,6 +105,7 @@ config S390 select HAVE_ALIGNED_STRUCT_PAGE if SLUB select HAVE_ARCH_JUMP_LABEL if !MARCH_G5 select HAVE_ARCH_SECCOMP_FILTER + select HAVE_ARCH_SECCOMP select HAVE_ARCH_TRACEHOOK select HAVE_ARCH_TRANSPARENT_HUGEPAGE if 64BIT select HAVE_BPF_JIT if 64BIT && PACK_STACK 
@@ -607,23 +608,6 @@ menu "Executable file formats / Emulatio source "fs/Kconfig.binfmt" -config SECCOMP - def_bool y - prompt "Enable seccomp to safely compute untrusted bytecode" - depends on PROC_FS - help - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via /proc/<pid>/seccomp, it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - - If unsure, say Y. - endmenu menu "Power Management" diff -puN arch/sh/Kconfig~consolidate-seccomp-options arch/sh/Kconfig --- a/arch/sh/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.602008512 -0800 +++ b/arch/sh/Kconfig 2014-01-29 11:02:31.614009055 -0800 @@ -10,6 +10,7 @@ config SUPERH select HAVE_OPROFILE select HAVE_GENERIC_DMA_COHERENT select HAVE_ARCH_TRACEHOOK + select HAVE_ARCH_SECCOMP select HAVE_DMA_API_DEBUG select HAVE_DMA_ATTRS select HAVE_PERF_EVENTS 
@@ -680,22 +681,6 @@ config PHYSICAL_START where the fail safe kernel needs to run at a different address than the panic-ed kernel. -config SECCOMP - bool "Enable seccomp to safely compute untrusted bytecode" - depends on PROC_FS - help - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via prctl, it cannot be disabled and the task is only - allowed to execute a few safe syscalls defined by each seccomp - mode. - - If unsure, say N. - config SMP bool "Symmetric multi-processing support" depends on SYS_SUPPORTS_SMP diff -puN arch/sparc/Kconfig~consolidate-seccomp-options arch/sparc/Kconfig --- a/arch/sparc/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.604008603 -0800 +++ b/arch/sparc/Kconfig 2014-01-29 11:02:31.615009101 -0800 @@ -67,6 +67,7 @@ config SPARC64 select HAVE_SYSCALL_TRACEPOINTS select HAVE_CONTEXT_TRACKING select HAVE_DEBUG_KMEMLEAK + select HAVE_ARCH_SECCOMP select RTC_DRV_CMOS select RTC_DRV_BQ4802 select RTC_DRV_SUN4V 
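Review bot: sh is the odd one out among the removed blocks: it had no `default y`, it kept `depends on PROC_FS`, and its help ends with "If unsure, say N." rather than "say Y". With the common option sh now gets `def_bool y` and the "say Y. Only embedded should say N" wording, so this hunk changes the sh default from n to y and inverts the advice given to the user. Same request as for arm: call the default change out in the changelog (and ideally get an explicit ack from the sh maintainer, who is already on Cc).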
@@ -223,23 +224,6 @@ config EARLYFB help Say Y here to enable a faster early framebuffer boot console. -config SECCOMP - bool "Enable seccomp to safely compute untrusted bytecode" - depends on SPARC64 && PROC_FS - default y - help - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via /proc/<pid>/seccomp, it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - - If unsure, say Y. Only embedded should say N here. - config HOTPLUG_CPU bool "Support for hot-pluggable CPUs" depends on SPARC64 && SMP diff -puN arch/x86/Kconfig~consolidate-seccomp-options arch/x86/Kconfig --- a/arch/x86/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.606008693 -0800 +++ b/arch/x86/Kconfig 2014-01-29 11:02:31.616009147 -0800 @@ -102,6 +102,7 @@ config X86 select GENERIC_SMP_IDLE_THREAD select ARCH_WANT_IPC_PARSE_VERSION if X86_32 select HAVE_ARCH_SECCOMP_FILTER + select HAVE_ARCH_SECCOMP select BUILDTIME_EXTABLE_SORT select GENERIC_CMOS_UPDATE select HAVE_ARCH_SOFT_DIRTY 
@@ -1584,22 +1585,6 @@ config EFI_STUB See Documentation/efi-stub.txt for more information. -config SECCOMP - def_bool y - prompt "Enable seccomp to safely compute untrusted bytecode" - ---help--- - This kernel feature is useful for number crunching applications - that may need to compute untrusted bytecode during their - execution. By using pipes or other transports made available to - the process as file descriptors supporting the read/write - syscalls, it's possible to isolate those applications in - their own address space using seccomp. Once seccomp is - enabled via prctl(PR_SET_SECCOMP), it cannot be disabled - and the task is only allowed to execute a few safe syscalls - defined by each seccomp mode. - - If unsure, say Y. Only embedded should say N here. - source kernel/Kconfig.hz config KEXEC diff -puN security/Kconfig~consolidate-seccomp-options security/Kconfig --- a/security/Kconfig~consolidate-seccomp-options 2014-01-29 11:02:31.607008738 -0800 +++ b/security/Kconfig 2014-01-29 11:02:31.616009147 -0800 
@@ -167,5 +167,24 @@ config DEFAULT_SECURITY default "yama" if DEFAULT_SECURITY_YAMA default "" if DEFAULT_SECURITY_DAC -endmenu +config HAVE_ARCH_SECCOMP + bool + +config SECCOMP + def_bool y + depends on HAVE_ARCH_SECCOMP + prompt "Enable seccomp to safely compute untrusted bytecode" + ---help--- + This kernel feature is useful for number crunching applications + that may need to compute untrusted bytecode during their + execution. By using pipes or other transports made available to + the process as file descriptors supporting the read/write + syscalls, it's possible to isolate those applications in + their own address space using seccomp. Once seccomp is + enabled via prctl(PR_SET_SECCOMP), it cannot be disabled + and the task is only allowed to execute a few safe syscalls + defined by each seccomp mode. + If unsure, say Y. Only embedded should say N here. + +endmenu _
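Review bot: the blank line between "defined by each seccomp mode." and "If unsure, say Y. Only embedded should say N here." was lost when the help text was copied into security/Kconfig (every one of the removed blocks has an empty line there); please restore it so the "If unsure" advice renders as its own paragraph in menuconfig. Beyond that, the changelog promises to remove the "embarrassingly-ancient" help text, but only the /proc references went: the "number crunching applications ... compute untrusted bytecode" paragraph survives verbatim and still describes only the original strict mode, while this same patch has arm, s390 and x86 selecting HAVE_ARCH_SECCOMP_FILTER alongside the new HAVE_ARCH_SECCOMP, so a sentence about the filter mode would make the consolidated text current rather than merely tidier. Lastly, `config HAVE_ARCH_SECCOMP` is a bare `bool` with no comment; a one-line note that it is to be selected by architectures wiring up the seccomp syscall entry/exit hooks would save the next person adding an arch from having to read this thread.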